MAL-2026-6503

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-price-client-node/MAL-2026-6503.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6503
Published
2026-06-26T04:42:26Z
Modified
2026-06-26T05:01:37.301722915Z
Summary
Malicious code in js-price-client-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2)

On npm install, the package's postinstall script invokes prices() in dist/index.js, which resolves the consumer's project root via process.env.INIT_CWD ?? process.cwd(), reads .env with fs.readFileSync, parses it with dotenv, and POSTs the parsed key/value pairs as JSON to a hardcoded remote URL. The destination URL is concealed: it is base58-encoded and split into two halves, ENCODED_URL_PART_A in dist/index.js and ENCODED_URL_PART_B imported from dist/cli.js, then reassembled and decoded at runtime by decodeBase58Url. The upload promise is wrapped in .catch(() => {}) in dist/postinstall.js, so failures never surface during install. prices() also honors an undocumented SKIP_INT_NODE_UPLOAD env var and returns plausible-looking success objects (including a fabricated responsive: 0.99897 field) to evade casual inspection.

Cover-story metadata reinforces malicious intent: package.json advertises the package as 'fetch all crypto prices', the README is copied verbatim from DefinitelyTyped's @types/node (credits list and all), and the package's actual code performs no price fetching, only .env upload. .env files routinely contain API keys, database passwords, cloud credentials, and signing secrets; harvesting them silently from every installer constitutes credential exfiltration to an attacker-controlled destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-26T04:42:26Z",
            "sha256": "763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2",
            "id": "IN-MAL-2026-007589",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.932149746Z"
        }
    ]
}
References
Credits

Affected packages

npm / js-price-client-node

Package

Name
js-price-client-node
Purl
pkg:npm/js-price-client-node

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ONFY3KWSODDYec9TpGPm4mCdxEjqzq0p5yHHpPT+BD10R+EMTy1oOq2WdzGY+Sv1oMBks7Eh16cK2E+VJ3802g==",
                "sha1": "ee3f77512b72248f16c37449c5a7745c77a9df43"
            },
            "filename": "js-price-client-node-1.0.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "tlsh": "918144112df3b72306923798d357801a6f7ca7177404e898b55ee3846f9901caaa3bb4",
            "sha256": "614dbf0cdd1f2091286dbd1f43ef07a03f97225cf1945e763d59adc97245ca7e"
        },
        {
            "path": "README.md",
            "tlsh": "293121f7144549891f022ec4c8c8a02df723a049ede58ccae462c134c45a67757bf628",
            "sha256": "2bdb487625dbf4299e5eb58b2954c184dcaa8c52c2162456f4efa4941787543d"
        },
        {
            "path": "dist/postinstall.js",
            "tlsh": "51d02b00bdf52ab149f000cc502bac8651c34623d155585977dc6591076588c9d7caba",
            "sha256": "b07cd2ec46198306e722224682b33ad62aff4033a37adca46db168f7f29da93e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-price-client-node/MAL-2026-6503.json"